Method for securing a computer installation involving a cryptographic algorithm using boolean operations and arithmetic operations and the corresponding embedded system

ABSTRACT

The invention concerns a method for securing a computer system implementing a cryptographic algorithm using Boolean operations and arithmetic operations wherein at least one variable is separated into several parts, in a Boolean separation using a Boolean operation, and in an arithmetic separation using an arithmetic operation, characterized in that, in order to switch from one of these operations to the other, a predetermined number of Boolean and arithmetic operations is performed on said parts and at least one random number, so that for each of the values appearing during the calculation, there is no correlation with said variable.

The invention also concerns an associated embedded system.

[0001] Paul Kocher et al. introduced in 1998 [5] and published in 1999 the concept of “Differential Power Analysis,” also known as DPA. The initial targets were symmetric cryptosystems such as DES or AES candidates, but public-key cryptosystems have since proven equally vulnerable to DPA attacks.

[0002] In 1999, Chari et al. [2] suggested a generic countermeasure that consisted of separating all the intermediate variables. A similar “duplication” method was proposed by Goubin et al. [4], in a particular case. These general methods generally sharply increase the amount of memory or the computation time required, as noted by Chari et al. Furthermore, it has been demonstrated that even the intermediate steps can be attacked by DPA, so the separation of the variables must be performed in every step of the algorithm. This makes the question of additional memory and computation time even more crucial, particularly for embedded systems such as smart cards.

[0003] In 2000, Thomas Messerges [8] studied DPA attacks applied to the AES candidates. He developed a general countermeasure that consisted of masking all the inputs and outputs of each elementary operation executed by the microprocessor. This generic technique allowed him to assess the impact of these countermeasures on the five AES candidates.

[0004] However, for algorithms that combine Boolean functions and arithmetic functions, it is necessary to use two types of masks. One therefore needs a method for converting between the Boolean masking and the arithmetic masking. This is typically the case for IDEA [7] and for three of the AES candidates: MARS [1], RC6 [9] and Twofish [10].

[0005] T. Messerges [8] has proposed an algorithm for performing this conversion. Unfortunately, Coron and Goubin [3] have described a specific attack showing that the “BooleanToArithmetic” algorithm proposed by T. Messerges is insufficient for protecting oneself against DPA. Likewise, his “ArithmeticToBoolean” algorithm isn't foolproof either.

[0006] The object of the present invention is to propose two novel “BooleanToArithmetic” and “ArithmeticToBoolean” algorithms, which have proven to be foolproof against DPA attacks. Each of these algorithms uses only operations that are very simple: XOR (exclusive OR), AND, subtraction, and the “shift left” of a register. Our “BooleanToArithmetic” algorithm uses a constant number (equal to 7) of such elementary operations, while the number of elementary operations involved in our “ArithmeticToBoolean” algorithm is proportional (it equals 5K+5) to the size (i.e., the number of bits K) of the registers of the processor.

[0007] Context

[0008] The “Differential Power Analysis” Attack

[0009] “Differential Power Analysis” (DPA) is an attack that makes it possible to obtain information on the secret key (contained in a smart card, for example), by performing a statistical analysis of recordings of electric power consumption measured over a large number of calculations with the same key.

[0010] This attack does not require any knowledge of the individual power consumption of each instruction, or of the position of each of these instructions in time. It is applied in exactly the same way as soon as the attacker knows the outputs of the algorithm and the corresponding consumption curves. It is based solely on the following fundamental hypothesis:

[0011] Fundamental hypothesis: There is an intermediate variable, appearing during the calculation of the algorithm, such that the knowledge of a few bits of the key (in practice less than 32 bits) makes it possible to decide whether or not two inputs (or respectively two outputs) give the same value for this variable.

[0012] The Masking Method

[0013] The present invention concerns the “masking” method suggested by Chari et al. [2].

[0014] The basic principle consists of programming the algorithm so that the above fundamental hypothesis is no longer verified (i.e., no intermediate variable ever depends on the knowledge of an easily accessible subset of the secret key). More precisely, using a key sharing schema, each of the intermediate variables appearing in the cryptographic algorithm is separated into several parts. This way, an attacker is obligated to analyze distributions from several points, which increases his task exponentially in terms of the number of elements of the separation.

[0015] The Conversion Problem

[0016] For algorithms that combine Boolean functions and arithmetic functions, two types of masking must be used:

[0017] A Boolean masking: x′=x⊕r.

[0018] An arithmetic masking: A=x−r modulo 2^(K).

[0019] In this case, the variable x is masked by the random value r, which gives the masked value x′ (or A). Our objective is to find an effective algorithm for switching from the Boolean masking to the arithmetic masking and vice versa, while making sure that the intermediate variables are de-correlated from the data to be masked, which ensures DPA resistance.

[0020] Throughout the present document, the processor is assumed to be using K-bit registers (in practice, most of the time K is equal to 8, 16, 32 or 64). All of the arithmetic operations (such as addition “+,” subtraction “−,” or doubling “z→2.z”) are considered to be modulo 2^(K). For purposes of simplicity, the “modulo 2^(K)” will often be omitted herein.

[0021] To this end, the invention concerns a method for securing a computer system comprising a processor and a memory, implementing a cryptographic algorithm stored in the memory and using Boolean operations and arithmetic operations, wherein at least one variable is separated into several parts, in a Boolean separation using a Boolean operation, and in an arithmetic separation using an arithmetic operation, characterized in that, in order to switch from either of these operations to the other, a predetermined number of Boolean and arithmetic operations is performed, by means of the processor, on said parts and at least one random number, so that for each of the values appearing during the calculation, there is no correlation with said variable, the calculation producing a result stored in the memory.

[0022] Advantageously, in order to switch from the Boolean separation to the arithmetic separation, the method includes the following steps:

[0023] separating all but one of the parts into at least two elements;

[0024] calculating at least two partial results that never depend on all the elements of a part;

[0025] in order to obtain all but one part of the arithmetic separation, gathering at least two of said partial results.

[0026] Advantageously, the separation of said parts into at least two elements uses a Boolean operation.

[0027] Advantageously, said gathering of two of said partial results is done by means of a Boolean operation.

[0028] Advantageously, the Boolean operation used for the separation of said parts into at least two elements is the “exclusive OR” operation.

[0029] Advantageously, the Boolean operation used for the gathering of said partial results is executed by means of the “exclusive OR” operation.

[0030] Advantageously, in order to switch from the Boolean separation to the arithmetic separation, only the “exclusive OR” and “subtraction” operations are used.

[0031] Advantageously, the Boolean separation into two parts using the “exclusive OR” operation, and the arithmetic separation into two parts using the “addition” operation, the method is characterized in that, in order to switch from the Boolean separation to the arithmetic operation, five “exclusive OR” operations and two “subtraction” operations are used.

[0032] Advantageously, in order to switch from the arithmetic separation to the Boolean separation, one defines at least one variable obtained by means of a predetermined number of successive iterations from an initial value that is a function of at least one random number, through successive applications of a transformation based on Boolean and arithmetic operations that is applied to said parts of the arithmetic separation and to said at least one random number.

[0033] Advantageously, said transformation is based on the “exclusive OR,” “logical AND” and “logical shift left by 1 bit” operations.

[0034] Advantageously, all but one part of the Boolean separation is obtained by applying Boolean operations to said variable or variables obtained through successive iterations, to said parts of the arithmetic separation, and to said random number or numbers.

[0035] Advantageously, the Boolean operations applied in order to obtain all but one of the parts of the Boolean separation are the “exclusive OR” and “logical shift left by 1 bit” operations.

[0036] Advantageously, [the method] for securing a computer system using K-bit registers, the arithmetic separation into two parts using the “addition” operation and the Boolean separation into two parts using the “exclusive OR” operation, [is] characterized in that, in order to switch from the Boolean separation to the arithmetic operation, one uses (2K+4) “exclusive OR” operations, (2K+1) “logical AND” operations, and K “logical shift left by 1 bit” operations.

[0037] The invention also concerns an embedded system comprising a processor and a memory and implementing a cryptographic algorithm stored in the memory and using Boolean operations and arithmetic operations, wherein at least one variable is separated into several parts, in a Boolean separation using a Boolean operation, and in an arithmetic separation using an arithmetic operation, characterized in that, in order to switch from either of these separations to the other, it includes conversion means for performing, by means of the processor, a predetermined number of Boolean and arithmetic operations on said parts and at least one random number, so that for each of the values appearing during the calculation, there is no correlation with said variable, the calculation producing a result stored in the memory.

[0038] The description that follows is accompanied by a single FIGURE representing the configuration of a smart card capable of executing the invention.

[0039] From the Boolean Masking to the Arithmetic Masking

[0040] To calculate A=(x⊕r)−r, the following algorithm is used:

[0041] “Boolean to Arithmetic” Algorithm

[0042] Input: (x′, r) such that x=x′⊕r.

[0043] Output: (A, r) such that x=A+r.

[0044] Initialize Γ at a random value γ

[0045] T←x′⊕Γ

[0046] T←T−Γ

[0047] T←T⊕x′

[0048] Γ←Γ⊕r

[0049] A←x′⊕Γ

[0050] A←A−Γ

[0051] A←A⊕T

[0052] The “BooleanToArithmetic” algorithm uses 2 auxiliary variables (T and Γ), 1 call to the random generator, and 7 elementary operations (more precisely: 5 “XORs” and 2 subtractions).
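The seven-step “BooleanToArithmetic” sequence of [0044] to [0051], written out in C for K=32 as an added example. This is not code from the patent or from its authors; the function names, the choice of uint32_t as the K-bit register (so that every subtraction wraps modulo 2^32), and the constructed test values are assumptions of this example. The gamma argument stands for the value the card's random generator would supply; the check function compares the masked conversion with the unprotected computation (x′⊕r)−r.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not the patent's code.  K = 32: "+" and "-" on uint32_t
 * operands wrap modulo 2^32, which is the "modulo 2^K" of the text. */

/* BooleanToArithmetic, step for step as in [0044]-[0051].
 * Input:  xp = x ^ r (Boolean share), r (the mask), gamma (fresh random value).
 * Output: A such that x = A + r (mod 2^32).  The mask r is left unchanged. */
uint32_t boolean_to_arithmetic(uint32_t xp, uint32_t r, uint32_t gamma)
{
    uint32_t G = gamma;      /* Γ initialised to the random value γ          */
    uint32_t T = xp ^ G;     /* T ← x' ⊕ Γ                                   */
    T = T - G;               /* T ← T − Γ        T now equals (x'⊕γ)−γ       */
    T = T ^ xp;              /* T ← T ⊕ x'                                   */
    G = G ^ r;               /* Γ ← Γ ⊕ r                                    */
    uint32_t A = xp ^ G;     /* A ← x' ⊕ Γ                                   */
    A = A - G;               /* A ← A − Γ        A now equals (x'⊕(γ⊕r))−(γ⊕r) */
    A = A ^ T;               /* A ← A ⊕ T                                    */
    /* Why this equals (x'⊕r)−r: the map Γ ↦ (x'⊕Γ)−Γ is affine over GF(2),
     * so its value at γ⊕r is the XOR of its values at γ, at r and at 0 (= x').
     * Neither T nor the two partial results above depends on x'⊕r itself. */
    return A;
}

/* Unprotected reference conversion A = (x' ^ r) - r; used only to check the
 * masked version, never in the protected computation. */
uint32_t boolean_to_arithmetic_reference(uint32_t xp, uint32_t r)
{
    return (xp ^ r) - r;
}

/* Returns 1 when the masked conversion of x's Boolean share, under mask r
 * and random gamma, yields an arithmetic share that recombines to x and
 * agrees with the reference. */
int check_b2a(uint32_t x, uint32_t r, uint32_t gamma)
{
    uint32_t xp = x ^ r;
    uint32_t A  = boolean_to_arithmetic(xp, r, gamma);
    return (uint32_t)(A + r) == x && A == boolean_to_arithmetic_reference(xp, r);
}

/* Spot check over constructed inputs.  The LCG below is a deterministic
 * stand-in for the card's random generator so the demo runs offline; it is
 * not a cryptographic source and would not be used on a real device. */
int main(void)
{
    uint32_t state = 0x12345678u;    /* constructed seed */
    int failures = 0;
    for (int i = 0; i < 10000; i++) {
        uint32_t x = (state = state * 1664525u + 1013904223u);
        uint32_t r = (state = state * 1664525u + 1013904223u);
        uint32_t g = (state = state * 1664525u + 1013904223u);
        if (!check_b2a(x, r, g)) failures++;
    }
    printf("BooleanToArithmetic: %d failures over 10000 trials\n", failures);
    return failures != 0;
}
```

The two intermediate subtraction results are each computed against a different random mask (γ and γ⊕r), which is the "at least two partial results that never depend on all the elements of a part" of [0024]; the final XOR in [0051] is the gathering step of [0025].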

[0053] From the Arithmetic Masking to the Boolean Masking

[0054] To calculate x′=(A+r)⊕r, the following algorithm is used:

[0055] “ArithmeticToBoolean” Algorithm

[0056] Input: (A, r) such that x=A+r.

[0057] Output: (x′, r) such that x=x′⊕r.

[0058] Initialize Γ at a random value γ

[0059] T←2.Γ

[0060] x′←Γ⊕r

[0061] Ω←Γ∧x′

[0062] x′←T⊕A

[0063] Γ←Γ⊕x′

[0064] Γ←Γ∧r

[0065] Ω←Ω⊕Γ

[0066] Γ←T∧A

[0067] Ω←Ω⊕Γ

[0068] FOR k=1 to K−1

[0069] Γ←T∧r

[0070] Γ←Γ⊕Ω

[0071] T←T∧A

[0072] Γ←Γ⊕T

[0074] T←2.Γ

[0075] ENDFOR

[0076] x′←x′⊕T

[0077] The “ArithmeticToBoolean” algorithm uses 3 auxiliary variables (T, Ω and Γ), 1 call to the random generator, and (5K+5) elementary operations (more precisely (2K+4) “XORs,” (2K+1) “ANDs” and K “shift lefts”).
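The “ArithmeticToBoolean” sequence of [0058] to [0076], written out in C for K=32 as an added example (not code from the patent or its authors). The function names, uint32_t as the K-bit register, and the constructed test values are assumptions of this example; the “logical AND” operations of [0033] are written explicitly as ∧ in the comments, and the doubling “2.Γ” is a shift left by one bit modulo 2^32. The check function compares the masked result with the unprotected computation (A+r)⊕r.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not the patent's code.  K_BITS plays the role of K. */
#define K_BITS 32

/* ArithmeticToBoolean, following [0058]-[0076].
 * Input:  A such that x = A + r (mod 2^K), r (the mask), gamma (fresh random value).
 * Output: xp such that x = xp ^ r.  The mask r is left unchanged. */
uint32_t arithmetic_to_boolean(uint32_t A, uint32_t r, uint32_t gamma)
{
    uint32_t G  = gamma;     /* Γ initialised to the random value γ */
    uint32_t T  = G << 1;    /* T ← 2.Γ                            */
    uint32_t xp = G ^ r;     /* x' ← Γ ⊕ r                         */
    uint32_t O  = G & xp;    /* Ω ← Γ ∧ x'                         */
    xp = T ^ A;              /* x' ← T ⊕ A                         */
    G  = G ^ xp;             /* Γ ← Γ ⊕ x'                         */
    G  = G & r;              /* Γ ← Γ ∧ r                          */
    O  = O ^ G;              /* Ω ← Ω ⊕ Γ                          */
    G  = T & A;              /* Γ ← T ∧ A                          */
    O  = O ^ G;              /* Ω ← Ω ⊕ Γ                          */
    /* Ω now holds γ ⊕ (A∧r) ⊕ (2γ ∧ (A⊕r)): the carry "generate" term of
     * A + r, masked by γ.  Each loop iteration propagates the carry one bit
     * position further, keeping Γ equal to (true carry) ⊕ γ throughout. */
    for (int k = 1; k <= K_BITS - 1; k++) {
        G = T & r;           /* Γ ← T ∧ r                          */
        G = G ^ O;           /* Γ ← Γ ⊕ Ω                          */
        T = T & A;           /* T ← T ∧ A                          */
        G = G ^ T;           /* Γ ← Γ ⊕ T                          */
        T = G << 1;          /* T ← 2.Γ                            */
    }
    return xp ^ T;           /* x' ← x' ⊕ T   (2γ ⊕ A ⊕ 2Γ = A ⊕ 2c) */
}

/* Unprotected reference conversion x' = (A + r) ^ r, used only for checking. */
uint32_t arithmetic_to_boolean_reference(uint32_t A, uint32_t r)
{
    return (A + r) ^ r;
}

/* Returns 1 when converting the arithmetic share of x (under mask r and
 * random gamma) yields a Boolean share that recombines to x. */
int check_a2b(uint32_t x, uint32_t r, uint32_t gamma)
{
    uint32_t A  = x - r;
    uint32_t xp = arithmetic_to_boolean(A, r, gamma);
    return (xp ^ r) == x && xp == arithmetic_to_boolean_reference(A, r);
}

/* Spot check over constructed inputs; the LCG is only a deterministic
 * stand-in for the card's random generator so the demo runs offline. */
int main(void)
{
    uint32_t state = 0x0badcafeu;    /* constructed seed */
    int failures = 0;
    for (int i = 0; i < 10000; i++) {
        uint32_t x = (state = state * 1664525u + 1013904223u);
        uint32_t r = (state = state * 1664525u + 1013904223u);
        uint32_t g = (state = state * 1664525u + 1013904223u);
        if (!check_a2b(x, r, g)) failures++;
    }
    printf("ArithmeticToBoolean: %d failures over 10000 trials\n", failures);
    return failures != 0;
}
```

Counting the operations in the function gives 6 XORs, 3 ANDs and 1 shift before the loop and 2 XORs, 2 ANDs and 1 shift in each of the K−1 iterations, i.e. the (2K+4), (2K+1) and K of [0077]; the loop bound is fixed at K−1 regardless of the data, so the running time carries no information about A, r or the carry.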

[0078] As for the number of random numbers involved in the method according to the invention, it is noted that there may be one or several of them per variable, and in the case of several variables, there will generally be several random numbers, respectively associated with said variables.

[0079] The sole FIGURE illustrates the general configuration of a smart card 1. It includes an information processing means or CPU 2, information storage means 3, 4, 5 of various types (RAM, EEPROM, ROM), input/output means 6 that allow the card to cooperate with a card reading terminal, and a bus 7 that allows these various elements to dialog with one another. The aforementioned conversion means capable of performing the Boolean and arithmetic operations specifically include at least one program stored in the information storage means 3, 4, 5.

[0080] Bibliography

[0081] [1] Carolynn Burwick, Don Coppersmith, Edward D'Avignon, Rosario Gennaro, Shai Halevi, Charanjit Jutla, Stephen M. Matyas, Luke O'Connor, Mohammad Peyravian, David Safford and Nevenko Zunic, “MARS—A Candidate Cipher for AES,” Proposal for the AES, June 1998. Available at http://www.research.ibm.com/security/mars.pdf

[0082] [2] Suresh Chari, Charanjit S. Jutla, Josyula R. Rao and Pankaj Rohatgi, “Towards Sound Approaches to Counteract Power-Analysis Attacks,” in Proceedings of Advances in Cryptology—CRYPTO '99, Springer-Verlag, 1999, pp. 398-412.

[0083] [3] Jean-Sebastien Coron and Louis Goubin, “On Boolean and Arithmetic Masking against Differential Power Analysis,” in Proceedings of Workshop on Cryptographic Hardware and Embedded Systems, Springer-Verlag, August 2000.

[0084] [4] Louis Goubin and Jacques Patarin, “DES and Differential Power Analysis—The Duplication Method,” in Proceedings of Workshop on Cryptographic Hardware and Embedded Systems, Springer-Verlag, August 1999, pp. 158-172.

[0085] [5] Paul Kocher, Joshua Jaffe and Benjamin Jun, “Introduction to Differential Power Analysis and Related Attacks,” http://www.cryptography.com/dpa/technical, 1998.

[0086] [6] Paul Kocher, Joshua Jaffe and Benjamin Jun, “Differential Power Analysis,” in Proceedings of Advances in Cryptology—CRYPTO '99, Springer-Verlag, 1999, pp. 388-397.

[0087] [7] Xuejia Lai and James Massey, “A Proposal for a New Block Encryption Standard,” in Advances in Cryptology—EUROCRYPT '90 Proceedings, Springer-Verlag, 1991, pp. 389-404.

[0088] [8] Thomas S. Messerges, “Securing the AES Finalists Against Power Analysis Attacks,” in Proceedings of Fast Software Encryption Workshop 2000, Springer-Verlag, April 2000.

[0089] [9] Ronald L. Rivest, Matthew J. B. Robshaw, Ray Sidney and Yiqun L. Yin, “The RC6 Block Cipher,” v.1.1, Aug. 20, 1998. Available at ftp://ftp.rsasecurity.con/pub/rsalabs/aes/rc6v11.pdf

[0090] [10] Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall and Niels Ferguson, “Twofish: A 128-Bit Block Cipher,” Jun. 15, 1998, AES submission available at http://www.counterpane.com/twofish.pdf

1. Method for securing a computer system implementing a cryptographic algorithm using Boolean operations and arithmetic operations, wherein at least one variable is separated into several parts, in a Boolean separation using a Boolean operation, and in an arithmetic separation using an arithmetic operation, characterized in that, in order to switch from either of these operations to the other, a predetermined number of Boolean and arithmetic operations is performed on said parts and at least one random number, so that for each of the values appearing during the calculation, there is no correlation with said variable.

2. Method according to claim 1, characterized in that, in order to switch from the Boolean separation to the arithmetic separation, the method includes the following steps: separating all but one of the parts into at least two elements; calculating at least two partial results that never depend on all the elements of a part; in order to obtain all but one part of the arithmetic separation, gathering at least two of said partial results.

3. Method according to claim 2, characterized in that the separation of said parts into at least two elements uses a Boolean operation.

4. Method according to claim 2, characterized in that said gathering of two of said partial results is done by means of a Boolean operation.

5. Method according to claim 3, characterized in that the Boolean operation used for the separation of said parts into at least two elements is the “exclusive OR” operation.

6. Method according to claim 4, characterized in that the Boolean operation used for the gathering of said partial results is executed by means of the “exclusive OR” operation.

7. Method according to claim 6, characterized in that, in order to switch from the Boolean separation to the arithmetic separation, only the “exclusive OR” and “subtraction” operations are used.

8. Method according to claim 6, the Boolean separation into two parts using the “exclusive OR” operation, and the arithmetic separation into two parts using the “addition” operation, characterized in that, in order to switch from the Boolean separation to the arithmetic operation, five “exclusive OR” operations and two “subtraction” operations are used.

9. Method according to claim 1, characterized in that, in order to switch from the arithmetic separation to the Boolean separation, one defines at least one variable obtained by means of a predetermined number of successive iterations from an initial value that is a function of at least one random number, through successive applications of a transformation based on Boolean and arithmetic operations applied to said parts of the arithmetic separation and to said at least one random number.

10. Method according to claim 9, characterized in that said transformation is based on the “exclusive OR,” “logical AND” and “logical shift left by 1 bit” operations.

11. Method according to claim 9, characterized in that all but one part of the Boolean separation is obtained by applying Boolean operations to said variable or variables obtained through successive iterations, to said parts of the arithmetic separation, and to said random number or numbers.

12. Method according to claim 11, characterized in that the Boolean operations applied in order to obtain all but one of the parts of the Boolean separation are the “exclusive OR” and “logical shift left by 1 bit” operations.

13. Method according to claim 12 for securing a computer system using K-bit registers, the arithmetic separation into two parts using the “addition” operation and the Boolean separation into two parts using the “exclusive OR” operation, characterized in that, in order to shift from the Boolean separation to the arithmetic separation, one uses (2K+4) “exclusive OR” operations, (2K+1) “logical AND” operations, and K “logical shift left by 1 bit” operations.

14. Embedded system comprising information processing means and information storage means, and implementing a cryptographic algorithm using Boolean operations and arithmetic operations, wherein at least one variable is separated into several parts, in a Boolean separation using a Boolean operation, and in an arithmetic separation using an arithmetic operation, characterized in that, in order to switch from either of these operations to the other, it includes conversion means for performing a predetermined number of Boolean and arithmetic operations on said parts and at least one random number, so that for each of the values appearing during the calculation, there is no correlation with said variable.